“As part of the resolutions with the FTC and the state attorneys general, Marriott will continue implementing enhancements to its data privacy and information security programs, many of which are already in place or in progress,” said the statement. “Protecting guests’ personal data remains a top priority for Marriott. These resolutions reaffirm the company’s continued focus on and significant investments in maintaining and adapting its programs and systems to assess, identify, and manage risks from evolving cybersecurity threats.”
Penalties insufficient, say experts
Roger Grimes, a defense evangelist at cybersecurity training company KnowBe4, cautioned security executives to not assume that the Marriott issues, which were mostly due to sloppiness and cutting corners, are unique to the hotel chain.
Don’t think Marriott “is a uniquely bad company poorly implementing cybersecurity controls while the majority of the rest of the world is doing everything right. Most organizations have large gaps in their cybersecurity controls. Most are not doing many basic things right. Marriott is far from an unusual bad actor,” Grimes said. “Most companies are doing cybersecurity controls like Marriott is doing, which is to say, likely doing a lot of the right things, but also with many gaps and many poorly implemented controls. Cybersecurity is often talked about as something we need to take very seriously, but in practice, most organizations have serious gaps.”